Last updated: May 13, 2026 at 5:42 AM UTC
Tag: salesforce-experience-cloud (1 article)

Pitney Bowes customer and employee data leaked publicly - 8.2 million email addresses plus internal records with employee job titles

Pitney Bowes customer and employee data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 8.2 million unique email addresses, plus names, phone numbers, and physical addresses. A subset includes Pitney Bowes employee records with job titles - a useful starter pack for highly-targeted phishing against named staff. The data came from a misconfigured Salesforce Experience Cloud 'Guest User' permission that let unauthenticated visitors query CRM records directly. ShinyHunters had posted Pitney Bowes on its leak site April 18 with a three-day deadline.

Check
If your organization uses Salesforce Experience Cloud, audit Guest User permissions today and remove read access from CRM objects that don't need to be public.
Affected
Pitney Bowes customers (8.2M email addresses, names, phones, addresses now public) and employees with job titles in the leak. Any organization running Salesforce Experience Cloud with default Guest User permissions has the same exposure - this is a configuration failure, not a Salesforce flaw.
Fix
Run Salesforce's Guest User Permissions report and tighten anything reading customer or contact data. Confirm no Experience Cloud public site exposes Account, Contact, Lead, or Case objects without a clear public-data reason. Pitney Bowes employees should treat 'CEO needs you to wire' messages with extra suspicion - your name and title are now public.
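One way to triage the audit described under Fix, as an added example that is not from the article or from Salesforce: it reads a CSV export of guest-profile object permissions and ranks what unauthenticated visitors can reach. The column layout, profile names, and sample rows are constructed assumptions; the field names follow Salesforce's ObjectPermissions object.

```python
import csv
import io

# Objects the article names as needing a clear public-data reason.
SENSITIVE = {"Account", "Contact", "Lead", "Case"}
WRITE_COLS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")

# Constructed sample: rows as they might look in a CSV export of
# ObjectPermissions for guest profiles. The column layout and the
# profile names are assumptions made for this example.
SAMPLE_EXPORT = """\
Profile,SobjectType,PermissionsRead,PermissionsCreate,PermissionsEdit,PermissionsDelete
Support Portal Profile,Case,true,true,false,false
Support Portal Profile,Contact,true,false,false,false
Support Portal Profile,Knowledge__kav,true,false,false,false
Partner Site Profile,Account,false,false,false,false
Partner Site Profile,Lead,TRUE,false,false,false
Partner Site Profile,Feedback__c,false,true,false,false
"""

def _flag(value):
    """Exports render booleans inconsistently; accept true/TRUE/1."""
    return (value or "").strip().lower() in {"true", "1"}

def audit_guest_permissions(csv_text):
    """Return findings sorted so sensitive-object exposure comes first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        obj = row["SobjectType"].strip()
        readable = _flag(row.get("PermissionsRead"))
        writable = [c[len("Permissions"):] for c in WRITE_COLS if _flag(row.get(c))]
        if not readable and not writable:
            continue  # guests have no access to this object
        if obj in SENSITIVE:
            severity = "HIGH"      # CRM object named in the article
        elif writable:
            severity = "MEDIUM"    # guests can change data
        else:
            severity = "REVIEW"    # readable; confirm it is meant to be public
        access = ["Read"] * readable + writable
        findings.append((severity, row["Profile"].strip(), obj, "+".join(access)))
    order = {"HIGH": 0, "MEDIUM": 1, "REVIEW": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for severity, profile, obj, access in audit_guest_permissions(SAMPLE_EXPORT):
        print(f"{severity:6} {profile:24} {obj:16} {access}")
```

Object-level access is only one layer: which records a guest can actually see also depends on the site's sharing settings, so each flagged object still needs its sharing configuration checked.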